Microsoft announces 'Online Services Bug Bounty Program' - Techie News (UK and Ireland)

Microsoft on Tuesday announced the Microsoft Online Services Bug Bounty Program which offers rewards starting at $500 for “significant web application vulnerabilities found in eligible online service domains.”

Outlook, Office365, Yammer, SharePoint and Lync are some of the participating online services included in the Bug Bounty Program.

According to Microsoft’s terms and conditions for the bug bounty program, Cross-site scripting (XSS), cross-site request forgery (CSRF), cross-tenant data tampering, insecure direct object references, injection flaws, authentication flaws, server-side code execution, privilege escalation, and security misconfigurations are the vulnerability types that are eligible for bounties under the program.

Under the Bug Bounty Program, researchers will be offered a minimum reward of $500 for every qualified vulnerability they submit. The amount could even be more if Microsoft deems it a high-impact flaw.

Microsoft has also issued a list of “flaws” which don’t qualify for the reward program. The list includes:

Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”).
Server-side information disclosure such as IPs, server names and most stack traces.
Bugs in the web application that only affect unsupported browsers and plugins.
Bugs used to enumerate or confirm the existence of users or tenants.
Bugs requiring unlikely user actions.
URL Redirects (unless combined with another flaw to produce a more severe vulnerability).
Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example).
“Cross Site Scripting” bugs in SharePoint that require “Designer” or higher privileges in the target’s tenant.
Low impact CSRF bugs (such as logoff).
Denial of Service issues.
Cookie replay vulnerabilities.

Microsoft announced its first three bug bounty programs last June, offering researchers rewards of up to $150,000 in cash for finding flaws in Windows 8 and Internet Explorer 1.

Megha

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Microsoft announces ‘Online Services Bug Bounty Program’

Leave a Reply Cancel reply